From f549fc7bdcc9b435236de5594bec0ed8e587988c Mon Sep 17 00:00:00 2001
From: David Horstmann
Date: Thu, 26 Feb 2026 11:57:17 +0000
Subject: [PATCH 1/2] Fix null pointer dereference in string to names
In mbedtls_x509_string_to_names() we were not checking for allocation failures. An allocation failure would lead to a memcpy() to a null pointer address. Fix this by checking the result of the call to mbedtls_calloc() and returning MBEDTLS_ERR_X509_ALLOC_FAILED in the error case.
Signed-off-by: David Horstmann
---
 library/x509_create.c | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/library/x509_create.c b/library/x509_create.c
index 370eb9b2e1..e424cbb47c 100644
--- a/library/x509_create.c
+++ b/library/x509_create.c
@@ -487,6 +487,9 @@ int mbedtls_x509_string_to_names(mbedtls_asn1_named_data **head, const char *nam
 } else {
 oid.len = strlen(attr_descr->oid);
 oid.p = mbedtls_calloc(1, oid.len);
+ if (oid.p == NULL) {
+ return MBEDTLS_ERR_X509_ALLOC_FAILED;
+ }
 memcpy(oid.p, attr_descr->oid, oid.len);
 numericoid = 0;
 }
From 2acb9a2e7b4ed18aaa32d4ce65f90279e94455d5 Mon Sep 17 00:00:00 2001
From: David Horstmann
Date: Thu, 26 Feb 2026 14:04:40 +0000
Subject: [PATCH 2/2] Add ChangeLog entry for NULL dereference fix
Signed-off-by: David Horstmann
---
 ChangeLog.d/fix-null-pointer-dereference.txt | 4 ++++
 1 file changed, 4 insertions(+)
 create mode 100644 ChangeLog.d/fix-null-pointer-dereference.txt
diff --git a/ChangeLog.d/fix-null-pointer-dereference.txt b/ChangeLog.d/fix-null-pointer-dereference.txt
new file mode 100644
index 0000000000..1eb3c416a8
--- /dev/null
+++ b/ChangeLog.d/fix-null-pointer-dereference.txt
@@ -0,0 +1,4 @@
+Security
+ * Fix a NULL pointer dereference in mbedtls_x509_string_to_names() when
+ mbedtls_calloc() fails to allocate memory. This was caused by failing to
+ check whether mbedtls_calloc() returned NULL.
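Review bot: In the library/x509_create.c hunk, the new `return MBEDTLS_ERR_X509_ALLOC_FAILED;` after `mbedtls_calloc()` leaves from the middle of mbedtls_x509_string_to_names(), and the hunk does not show what has already been stored through `head` by then. The function body starts and ends outside the hunk, so this is inferred: if earlier attributes of the same name string were appended before this allocation failed, the caller gets an error together with a partly built list and must still free it. A one-line comment on the check would make that contract explicit, for example `/* on failure *head may be partially filled; the caller frees it */`. The function's documentation should also list MBEDTLS_ERR_X509_ALLOC_FAILED among its return values if it does not already. Neither patch in the series adds a test that forces `mbedtls_calloc()` to fail on this path, so the new branch is not exercised by anything shown here.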